I noticed that PGP signatures have a "signed on" field. I was wondering if this is "trustworthy" information and if so how is it accomplished.

For example, I can't see how it could be trusted because someone could sign something a year ago and transmit it now or they could generate a fake date and I don't see how an outside system could tell whether it was actually signed on the specified date.

So is the signed on date to be trusted or is it just the word of the person who signed it?

2 Answers

The "signed on date" field of any signature message format is only trustworthy if you trust the signer not to:

- modify the software to include an arbitrary date (or use software which allows setting the date), or
- change his computer's system date.

So, if the signer wants to use this field to prove that this was signed at some time (especially, before some time), it is not trustworthy at all.

There are cryptographic means to certify that some data was signed at a certain point in time, but these use either a trusted third party (a signature service, which signs some digest of your message/signed message/... and a time stamp), or even a distributed system with a public time line.

An example would be something like the BitCoin block chain - for every piece of data referred to from a block in the chain (i.e. from a transaction) you can be quite certain that it existed before the block was created, as long as the hash functions used are not broken. On the other hand, if you include in your signed data a hash of the latest block, your data bundle is certified to be newer than this block. (But of course, you could have recreated it later.)
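An added, self-contained toy of the two anchoring directions this answer describes (this is illustration code, not code from the answer or from any PGP or Bitcoin implementation): a hash chain stands in for the public timeline, the signer's self-asserted `claimed_signed_on` field is deliberately ignored, and the only time bounds come from which block the bundle references (not before) and which later block commits to the bundle's digest (not after). All names and sample payloads are constructed for this illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_block(chain: list, payload: list) -> dict:
    """Append a block to the toy public timeline (a hash chain standing in for a block chain)."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    body = {"height": len(chain), "prev": prev, "payload": payload}
    block = dict(body, hash=sha256_hex(json.dumps(body, sort_keys=True).encode()))
    chain.append(block)
    return block


def verify_chain(chain: list) -> bool:
    """Every block must commit to its predecessor; otherwise the ordering evidence is worthless."""
    prev = GENESIS_PREV
    for height, block in enumerate(chain):
        body = {"height": height, "prev": prev, "payload": block["payload"]}
        if block["height"] != height or block["prev"] != prev \
                or sha256_hex(json.dumps(body, sort_keys=True).encode()) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def make_bundle(message: str, claimed_signed_on: str, latest_block_hash: str) -> bytes:
    """What the signer produces. claimed_signed_on is the signer's own word (like a PGP
    'signed on' field); anchor is the hash of the newest block the signer saw."""
    return json.dumps({"msg": message, "claimed_signed_on": claimed_signed_on,
                       "anchor": latest_block_hash}, sort_keys=True).encode()


def height_bounds(bundle: bytes, chain: list):
    """Return (not_before, not_after) block heights for the bundle, None where no bound exists.
    The claimed date is never consulted: only the chain can bound when the bundle existed."""
    if not verify_chain(chain):
        raise ValueError("timeline is inconsistent")
    anchor = json.loads(bundle)["anchor"]
    not_before = next((b["height"] for b in chain if b["hash"] == anchor), None)
    digest = sha256_hex(bundle)
    not_after = next((b["height"] for b in chain if digest in b["payload"]), None)
    return not_before, not_after


if __name__ == "__main__":
    chain = []
    append_block(chain, ["constructed tx 1"])
    append_block(chain, ["constructed tx 2"])
    bundle = make_bundle("hello", "1999-01-01", chain[-1]["hash"])  # backdated claim, ignored
    append_block(chain, [sha256_hex(bundle)])  # a timestamp service or miner commits the digest
    append_block(chain, ["constructed tx 3"])
    print(height_bounds(bundle, chain))  # (1, 2): created after block 1, before block 2
```

A real system replaces the toy chain with a timestamp authority's signed receipts or an actual block chain, but the verification logic stays the same: trust comes from the anchors, not from the date the signer wrote down.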

It's a statement made by the signer, just like if I say that this message was written on 19 June 2012. Its value is context-dependent. Just like with a pen and paper, you can post-date or pre-date anything.

In general, there's no such thing as verified time. Over the years, there are many people who have tried to create trusted time services, but they've not been successful. I'm sure that there's at least one still out there, but when someone writes a comment here pointing out some trusted time product or service, it will do more to prove my point than refute it.

Even if you have a trusted time product or service, you've just punted the question. How do we know to trust the trusted time? There can be very good answers to this, but it's still a good question.